
Lately I’ve noticed a certain type of post circulating on social networks. I don’t know if they have a name, but they generally appeal to a sense of nostalgia. There will be an image of an old telephone with the question, “Do you remember your childhood telephone number?” Another one asks which movie you love that you’ve seen over and over. And people dutifully post their responses to these questions as comments on the post.

Now, here’s the issue: there is a thing called “Knowledge-Based Authentication” (KBA). It is a deeply flawed but still very common online security practice that asks the user to answer a series of multiple-choice questions that supposedly only he or she would know the answer to. The flaw is that the “secret” answers are drawn from credit files and public records, so an attacker who has done a little research, or bought a data-broker profile, can often answer them too. Several of the major credit bureaus use it when you place a freeze on your credit through their websites. So you might get a question like:

If you responded to a Facebook post about your phone number growing up, there is a small chance you have just put one of your KBA answers out on the public internet.

What about that “movie you’ve seen over and over” question? Have you ever logged into an online account and had to create answers to security questions? These are designed as a line of defense against unauthorized logins and, just as often, as the gate for password resets and account recovery: if a login from an unfamiliar computer or location is detected, or someone clicks “forgot password,” the site asks the security questions and denies access if they are answered incorrectly. Whoever knows the answers can get past that gate, whether or not they know the password.

“What is your favorite movie?” is definitely the type of security question that could be used by a website, and if there’s a movie you’ve seen many times, chances are it’s your favorite. If you answered the post, you may have revealed the answer to one of your security questions to the world. Several celebrities have had their Twitter accounts hacked because they used real, easy-to-find-out answers for their security questions.
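To make the point above concrete, here is an added example (my own illustration, not code from any real site or from this post) that implements a security-question check the way a careful site would, with the answer normalized and stored as a salted hash, and then shows why that is still weak: “favorite movie” answers come from a tiny space, so a short list of popular titles finds the answer in a handful of guesses, and a social-media post that reveals it collapses that to a single guess. The `POPULAR_MOVIES` list, the chosen favourite and the PBKDF2 iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import re

# Iteration count kept modest so the demo runs quickly; a real deployment
# would use a far higher count or a memory-hard KDF.
PBKDF2_ITERATIONS = 100_000


def normalize(answer: str) -> str:
    """Case-fold and strip everything but letters/digits so that
    'The Godfather!' and 'the godfather' compare equal (users never
    type their answer the same way twice)."""
    return re.sub(r"[^a-z0-9]", "", answer.casefold())


def enroll(answer: str, salt: bytes = None) -> tuple:
    """Store a security answer the way a password should be stored:
    normalized, salted, and run through a slow hash. Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate answer against the stored digest."""
    guess = hashlib.pbkdf2_hmac(
        "sha256", normalize(candidate).encode(), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(guess, digest)


# Constructed stand-in for a "most-watched movies" wordlist. A real attacker
# would use a list of thousands of titles, but the answer space is still tiny
# compared with a random password.
POPULAR_MOVIES = [
    "The Shawshank Redemption",
    "The Godfather",
    "Star Wars",
    "Jurassic Park",
    "Titanic",
    "The Princess Bride",
    "Back to the Future",
    "Jaws",
]


def guesses_needed(salt: bytes, digest: bytes, wordlist) -> int:
    """How many attempts an attacker with `wordlist` needs to pass the
    question, or None if the answer is not in the list. Each attempt is
    an ordinary verify() call, exactly what the login form would do."""
    for attempt, title in enumerate(wordlist, start=1):
        if verify(title, salt, digest):
            return attempt
    return None


if __name__ == "__main__":
    # The user's real answer (constructed for the demo).
    salt, digest = enroll("The Princess Bride")

    # Attacker 1: no personal info, just a list of popular movies.
    print("generic wordlist:", guesses_needed(salt, digest, POPULAR_MOVIES))

    # Attacker 2: read the user's comment on the "movie you've seen over
    # and over" post. Punctuation and capitalization differ, but
    # normalization handles that for the attacker just as it does for the user.
    posted_comment = "The Princess Bride!!"
    print("after the social post:", guesses_needed(salt, digest, [posted_comment]))
```

The hashing and constant-time compare are the right way to store such answers, but they protect only against someone who steals the database; they do nothing about an attacker who simply knows the answer. Even a lockout after a few failed attempts only helps if the answer is not in the first few guesses, and once the answer has been posted publicly it is the first guess.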

Of course, these tiny pieces of information are simply pieces, not the whole puzzle. But the more puzzle pieces are in place, the more you begin to see the whole picture. The less information you put out there, the better – you don’t owe the internet anything. Think before you post any personal information online, even if it seems innocuous or silly on the surface. Anything you reveal can be used against you.